data management applying data analytics to a continuous auditing / continuous controls monitoring...
TRANSCRIPT
Data ManagementApplying Data Analytics to a Continuous Auditing / Continuous Controls Monitoring Solutions
Parm Lalli, CISA, ACDA
© 2009 Sunera LLC. All rights reserved.
2
Sunera Snapshot
Professional consultancy focused on regulatory compliance, internal audit, information security & technology services
Founded by former public accounting partners and professionals
Delivered more than 900 projects for 200 clients across a broad spectrum of industries
Employ 120 full-time professionals in Twelve offices across the United States and Canada
PCI certified security assessor
Registered with NASBA to offer CPE’s for our Internal Audit training courses
Certified integration partner for leading continuous controls monitoring solutions, including ACL, Approva, Lumigent, and SAP.
3© 2009 Sunera LLC. All rights reserved.
Sunera’s Data Management Practice Leaders
Parm Lalli is an ACL Certified Data Analysts (ACDA) and is the Canadian National Director for our Data Management Group. Parm has over 10 years of Data Analytics experience leading many Continuous Controls Monitoring implementations for organizations within many different industries. Parm has worked very closely traditionally with ACL and ACL products. Prior to joining Sunera, Parm was employed with ACL and worked with Audit departments, Business Unit Managers, and end users to address their Data Analytics needs using ACL. He worked on developing scripts across many different industries and applications. Parm has on a continual basis advised on the different strategies to overcome challenges on a successful Data Analytics implementation.
Peter Armstrong is also an ACL Certified Data Analyst (ACDA) and is one of the founding members of Sunera. While with Sunera, Peter has worked with many of our clients in implementing data analytics and continuous controls solutions. In addition, Peter has led many training sessions for ACL. Prior to forming Sunera, Peter was a Partner with KPMG and led risk-based services initially in Calgary and subsequently in the North Florida region. He has over 25 years of work experience with Sunera and KPMG in locations within Canada, New Zealand and the US. Peter is a Chartered Accountant (CA) and a Certified Information Systems Auditor (CISA).
Peter started working with ACL in 1991 and has worked with every version of ACL. In 1994, he held the first “advanced” ACL training course in North America which was attended by Internal audit professionals from across the US and Canada. Recently, he has taught version 8 and 9 to the Internal Audit departments of Wellcare, OSI, Burger King, RCCL, NCL, PNG, and the Cities of Tampa and St Pete.
4© 2009 Sunera LLC. All rights reserved.
What is Continuous Controls Monitoring
Continuous Controls Monitoring (CCM) is the term used to describe techniques of continuously monitoring and auditing an IT system. Typically CCM solutions will be applied to Enterprise Resource Planning systems. A Continuous Controls Monitoring solution can help to reduce compliance costs (through decreased manual controls and manual testing of those controls), strengthen a company's internal control environment and reduce the risk of unintentional or intentional errors and fraud.
The key objective of CCM is:
– To enable near real-time and regular monitoring of control effectiveness.
By monitoring the compliance with key controls, your organization can obtain ongoing assurance on the accuracy and validity of large volumes of data flowing through your systems, enabling the isolation and containment of control failures on a timely basis.
5© 2009 Sunera LLC. All rights reserved.
Common CCM Tools
A number of tools are available. The right choice will depend on the each companies business requirements, including considerations such as how well the proposed tool will integrate with existing systems and tools
– ACL
– SAP or Oracle GRC
– Approva
– Oversight
– Actuate BIRT
– Actuate e.Reports
– Cognos 8 BI Report Studio
– Crystal Reports
– InformationBuilders WebFOCUS
– JasperServer/iReport
– Microsoft SQL Server Reporting Services
– MicroStrategy Report Services
– SAS Web Report StudioGartner February 2009: Critical Capabilities for Business Intelligence Reporting
6© 2009 Sunera LLC. All rights reserved.
Types of Data Analytics?
Ad hoc Analysis
Time consuming
Data typically supplied by IT
Up to 50% more budgeted time required
Difficult to repeat tests if not documented
Exploratory type analysis
Repeatable Analysis
More skilled required than Ad Hoc testing
Pre-defined scripts created to perform same tests over and over again
More consistent and can be run more frequently
Data may be supplied by IT but imports are automated
Good documentation for the scripts / analytics
7© 2009 Sunera LLC. All rights reserved.
Types of Data Analytics?
Centralized Analysis
Development, storing, and running of repeatable analytics is centralized
A single, powerful server is setup for the repeatable analytics
Data Imports are all automated
Standards in place for developing tests and scripting
Source data and results are stored on server
Better security for data files and result files
Great deal of documentation on tests, scripts, data, and sample logic
Continuous Auditing
Process of performing audit related tasks in a continuous manner
Continuous risk and control assessments types of testing
Compliance (SOX) control testing
Security event monitoring
8© 2009 Sunera LLC. All rights reserved.
Types of Data Analytics?
Continuous Controls Monitoring (CCM)
Very skilled and experienced individuals are able to script and implement
All analytics and data imports are fully automated
No interaction from end users required
Allows for notification to be sent to Business Unit Manager about exceptions identified
May involve a web dashboard interface, workflow, remediation tracking, and heat maps
Better role based security for reviewing results
May provide Management with areas for improvement with Internal Controls
A better likelihood of identifying fraudulent activity
Acts as a very good deterrent system
9© 2009 Sunera LLC. All rights reserved.
Benefits of Data Analytics
Access data from many disparate sources
Independent of the systems and people being audited
100% transaction coverage with unlimited file sizes
Read-only data access to ensure the integrity of the data
Audit Trails are available to identify steps taken
Scripting/batching capabilities to capture test logic (like macros)
Very fast to run and produce results
Easier to comply with the provisions of Section 404 of the Sarbanes-Oxley Act
Close control loopholes before fraud escalates
Quantifies the impact of fraud
Cost-effective
Acts as a deterrent
Can be automated for continuous monitoring
Provides focus based on risk and probability of fraud
Direct pointers to critical evidence
Support for regulatory compliance
Logs for review and evidence
Scalability – Build on what you need
External Audit reliance
10© 2009 Sunera LLC. All rights reserved.
Data Analytics Automation Benefits
Validate effectiveness of internal controls
Identify occurrences of potential fraud
Identify transactional errors
Identify segregation of duties violations
Identify process deficiencies
Technology driven process
Tests 100% of transactions as opposed to sampling
Access data across disparate systems and geographies
Provide prompt notification of control breakdowns
Quantified exposure of business risk
Provides an auditable history of compliance tests and follow-up activities
Enables better allocation of skilled Audit/Technical resources within the organization
11© 2009 Sunera LLC. All rights reserved.
What are the Challenges?
IMPLEMENTING CHANGE!!!!
Change in culture for the organization
Defining what CCM can accomplish
Large volumes of data in multiple applications
Understanding data and processes
Monitoring of manual controls
Current reliance on reporting
Cost to implement
Ability to integrate with multiple compliance frameworks and into the existing IT environments
HOW DO YOU MAXIMIZE YOUR INVESTMENT IN CCM????
12© 2009 Sunera LLC. All rights reserved.
Where to Apply Data Analytics
What controls are eligible for automated testing?
Electronic data is available and accessible
Access to data through an automated process is possible
Rules can be documented or captured within test logic
Internal controls and Compliance controls
What are the ideal conditions for automated testing?
Large number of controls are in place
Large volumes of data
Multiple systems and data sources
Data at multiple locations
Capture fraudulent activities prior to a transaction reaching the end of a process
13© 2009 Sunera LLC. All rights reserved.
Data Analytics Steps for Mature Rollout
Steps for Implementing Continuous Controls Monitoring / Auditing
1. Vendor selection and product evaluation
2. Assess controls
3. Scope and design system requirements
4. Data warehouse implementation
5. Data access requirements definition
6. Analytics script development
7. Results verification and review
8. Adjusting logic, parameters, and thresholds
9. Rollout
14© 2009 Sunera LLC. All rights reserved.
Data Analytics Project Team
Project Team Skills
– Project Manager – Organize and manage all resources to complete the implementation project within the defined scope, time, and cost
– Business – Key owners of each business process to be monitored
– Audit – Process and control experts to identify areas of risk and test design
– IT – Key owners of the data and primary systems related to each of the processes
– Technical – Specialized experts to build, configure, and implement the monitoring tools
15© 2009 Sunera LLC. All rights reserved.
Data Analytics – Sunera Approach
Step 1
– Review existing business process risk documentation
– Review existing analytics for efficiency and effectiveness
– Updates existing analytics for full automation
Step 2
– Conduct additional reviews of business processes and identify risk areas
– Identify opportunities for improving process through Data Analytics
– Identify analytics opportunities within specific business processes
– Identify and verify all compensating controls
16© 2009 Sunera LLC. All rights reserved.
Data Analytics – Sunera Approach
Step 3
– Add Risk Rating for identified analytics across business units
• High, Medium, Low
– Quantify risk areas based on business units ($$)
– Obtain Management agreement on ratings and quantitative measures
Step 4
– Create “Requirements Documentation”
• Data Requirements from all available sources
• Confirm test logic
• Confirm required parameters
• Confirm reporting fields
– Obtain agreement and sign off on Requirements document
17© 2009 Sunera LLC. All rights reserved.
Data Analytics – Sunera Approach
Step 5
– Obtain sample data from all required sources
• Directly or Data dump
– Verify data based on Requirements document
• All fields present
• No corruption of data
– Perform Data Preparation
Step 6
– Create scripts for tests
– Create excel result sets
– Have end user and / or Business Unit Manager verify results
– Tweak any tests to remove false positives
18© 2009 Sunera LLC. All rights reserved.
Data Analytics – Sunera Approach
Step 7
– Create scheduling for all tests
• Daily, weekly, monthly, quarterly
– Move all pieces into production environment
– Verify data connections / feeds
Step 8
– Create documentation for handoff
– Provide training to CCM stakeholders
19© 2009 Sunera LLC. All rights reserved.
A Mature Data Analytics Overview
Self contained on dedicated server
Fully automated and scheduled
Alerts to Business Unit Managers or stakeholders of results
Clear and concise documentation
– For all scripted analytics
– For setup and configuration
Training provided to any and all individuals involved; including new hires
Ongoing review of existing analytics and possible new analytics based on new business processes
Maintain a Change log for any addition or removal of scripts or changes to configuration
20© 2009 Sunera LLC. All rights reserved.
Data Analytics – Non-Industry Specific
Accounts payable Phantom vendors
Vendor / Employee collusion
Purchasing Purchase splitting
Purchases without Requisitions
Purchase cards Inappropriate, unauthorized
purchases
Travel & Entertainment Expenses Duplicate claims, inappropriate
activity
Payroll Phantom employees
Unauthorized overtime
21© 2009 Sunera LLC. All rights reserved.
Data Analytics – Non-Industry Specific
Accounts Payable
Questionable invoices
Invoices without a valid P.O.
Sequential invoices
Over-billing
Quantity shipped less than quantity ordered
Pricing outside norm for product category
Item shipped of lower value than item ordered
Duplicate invoices
Multiple invoices for same item description
Invoices for same amount on the same date
Multiple invoices for same P.O. and date
22© 2009 Sunera LLC. All rights reserved.
Data Analytics – Non-Industry Specific
Purchasing
Questionable purchases
P.O./invoices with amount paid > amount received
Purchases of consumer items
Split purchases
Similar transactions for same vendor within specific timeframe
Inflated prices
Compare prices to standard price lists or to historical prices
Phantom vendors
Vendor/employee comparison
Vendor has mail drop as sole address
23© 2009 Sunera LLC. All rights reserved.
Data Analytics – Non-Industry Specific
Purchase Cards
Split purchases to avoid purchasing card limits
Purchases processed as two or more separate transactions
Identified by isolating purchases from specific vendors within short periods of time
Favored vendors for kickbacks
Trend analysis to compare current transaction volumes to previous time period
Suspicious purchases
Transactions that occur on weekends, holidays, or vacations
Travel related charges not on travel expenditure reports
24© 2009 Sunera LLC. All rights reserved.
Data Analytics – Non-Industry Specific
Time and Expense
Duplicate claims
Submitting claims twice
Tracking “no receipt” claims
Isolate expenses without receipts and identify underlying trends through profiling techniques
Threshold reviews
Track personnel exceeding thresholds
Inappropriate activity
Compare expenses to travel records to ensure expenses claimed for valid trips
Trends by employee compared to peers
25© 2009 Sunera LLC. All rights reserved.
Data Analytics Sample Logic
Duplicates
• Exact Duplicate – All fields identical within investigation period
• Almost Duplicate Variance, Same-Different Duplicates
» Purchase Order: Same Vendor and Similar Amount
» Payments: Different Vendor Same Bank Account
» Payments: Same Vendor Different Invoice Number Similar Amount
» Payments: Same Vendor Same Invoice, Same Amount, Different Date
» Payments: Same Vendor Name, Same Amount, Same Date, Different Vendor ID
26© 2009 Sunera LLC. All rights reserved.
Data Analytics Sample Logic
Authorization Limits
• Single and multiple accumulated values exceeding limits
• Transaction amounts that exceed or are just below the authorization limit
» Requisitions, Purchase Orders, Invoices, Payments
• Accumulated transaction amounts that exceed the authorization limit
» Split Requisitions, Split Purchase Orders, Split Invoices, Split Payments
Aging
• Single Record Age
» Days difference between Create Date and Approval Date
» Stale Requisitions, Stale Purchase Orders, Stale Invoices
• Multiple Files Aging
» Retroactive PO vs. Invoice (Invoice Create Date prior to PO Create Date)
27© 2009 Sunera LLC. All rights reserved.
Data Analytics Sample Logic
Data Quality
• Identifying fields where critical data elements deviate from expected values and formats.
» Invalid ID formats, missing key values, invalid characters, invalid values
» Requisitions, Purchase Orders, Invoices, Received Goods, Payments
Matching (Join) - Amounts over variance thresholds
• PO Line Item vs. Invoice Line Item
• PO Line Item Quantity vs. Goods Received Quantity
• Accumulated Invoice Line Items vs. Payment
• Accumulated Invoices vs. Bulk Payment
Unmatched (Join) – Orphaned records or missing records
• Unauthorized Users: Requisitions, Purchaser
28© 2009 Sunera LLC. All rights reserved.
Data Analytics Sample Logic
Example Analytic Logic
– SOD Security Table Level
• Comparing roles within ERP security tables to a conflict matrix
– SOD at Transaction Level
• Single Record Create/Modify vs. Approve
» Requisitions, Purchase Orders, Invoices, Payments
• Multiple files
» Create/Modify PO vs. Create/Modify/Approve Vendor Master Update
» Create/Modify PO vs. Receiver ID for Goods Received
» Create/Modify PO vs. Create/Modify Invoice
29© 2009 Sunera LLC. All rights reserved.
Data Analytics Sample Logic
Numeric Pattern Matching
• Benford digital analysis: Exceptions which reveal themselves as digital anomalies.
» Higher than expected PO amount of $49,000, bypassing controls on amounts over $50,000.
• Numeric Sequence or Gaps: Exceptions which reveal themselves in a numeric sequence or gap.
» Invoice Number Sequences (suspect invoices)
• Transactions with even dollar amounts based on a divisor number, minimum transaction count, and threshold value.
» Expense Report Amounts with even dollar values
30© 2009 Sunera LLC. All rights reserved.
Data Analytics Sample Logic
Date Pattern Matching
• Suspect transaction dates occurred on a weekend or holiday
» Expense Report transactions on weekends or holiday
• Period close dates
» Journal Entries where the current entry date is within a specified number of days prior/after the period close
Variance Tests
• Count and amount variance as compared to a yearly average.
» Invoice vendor product price variance
» Excessive vendor invoice counts
31© 2009 Sunera LLC. All rights reserved.
Data Analytics Sample Logic String Pattern Matching
• Name Match (% word match)
» Word exclusion lists to remove common words like: The, company, and, etc.
» Invoice: Employee Vendor Name Match – (Phantom Vendor)
» Invoice: Prohibited Vendors
• Address Match (Numeric or Alpha Numeric match)
» Match on zip/postal code plus numeric digits from address field.
» Match on alpha-numeric values from the Address field (no spaces or special characters)
» Invoice: Employee Vendor Address Match – (Phantom Vendor)
• Soundslike Match (phonetic match)
» SOUNDEX algorithm
» SOUNDSLIKE algorithm
» Payroll: Similar Employee Names
» T&E: Different expense cards assigned to employees with similar names
32© 2009 Sunera LLC. All rights reserved.
Data Analytics Rollout Options Insource
Internal resources plan and deploy all CCM initiatives
Outsource
Sunera resources (or other provider) perform all the activities required for CCM rollout
Provide documentation and training to client staff for maintenance of the program
Co-source
Sunera (or other provider) provides the knowledge and expertise and work with client staff
Share the work of developing and creating tests
Provide guidance
Perform reviews of client work conducted and provide feedback / insight
Conduct coaching sessions
Provide ongoing support and advice
33© 2009 Sunera LLC. All rights reserved.
Data Management Consulting Services
Sunera can work with your organization on a time & materials basis to assist with any of the following activities:
Forensic investigations
Cost recovery
Compliance audits
Establishment of a continuous monitoring program
Specific procedures that Sunera can assist with would include the following:
Identification and development of Data Analytics audit programs/procedures
Obtaining access to data tables (i.e. establishment of ODBC connections or data requests for IT)
Script development (basic to complex)
Interpretation of data analysis/results
Confirmation of exception results (i.e. identify any false positives and remove)
Management reporting
Establishment of continuous monitoring procedures/scripts
34© 2009 Sunera LLC. All rights reserved.
Data Analytics Training Option
Sunera Training Offers:
2 or 3 day training classes
Training is hands on and classes are tailored to meets your participants skill level (beginner, intermediate, advanced).
We customize the training by integrating your company data into the seminar so your employees get to work with realistic company scenarios.
Sunera is registered with the National Association of State Boards of Accountancy (NASB) as a sponsor of continuing professional education on the National Registry of CPE sponsors and offers CPE credits to those who attend and completed the training.
Training is provided by a Sunera Director or Principal Level associate with multiple years and project experience using ACL.
We are planning on offering a training course in Calgary in October pending sufficient interest.
Training (classroom instruction)can be provided to organizations directly.
35© 2009 Sunera LLC. All rights reserved.
Contact Information
For additional information on Sunera’s services visit our website at http://www.sunera.com or contact:
Parm LalliDirector(778) [email protected]